-= Per source details. Do not edit below this line.=-
On install, setup.js walks up to the installer's project tree and scans image files for a 'STEG' marker. When found, it AES-256-CBC-decrypts an embedded steganographic payload that points to a file inside the installer's node_modules and uses a regex (cli.command("build [root]"...finally{...}) to patch that third-party CLI's build command, prepending an import of netspeedutil/inject.js and an await inject() call inside the build's finally block. Once tampered, every subsequent project build runs inject.js, which uses javascript-obfuscator (control-flow flattening, dead-code injection, base64 string-array encoding) to embed an obfuscated client into dist/index.html. That client opens a WebRTC TURN connection to a hardcoded attacker host at 13.234.111.178:3478 as a covert C2 / signaling channel and renders attacker-supplied DOM content to end users of any site the developer ships. The package's stated purpose ('Fast string matching and pattern validation utilities') is a cover story unrelated to the actual code. This is a build-pipeline supply-chain compromise: the installer's production artifacts are silently weaponized against their own end users.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-13T09:22:42Z",
"versions": [
"1.0.13"
],
"sha256": "e07c032df7e95243bcbf1af8d20d23ef9427620fc3050965ca1a3b3ce9faa4f1",
"id": "IN-MAL-2026-010209",
"source": "amazon-inspector",
"import_time": "2026-07-13T10:37:37.939109253Z"
}
]
}{
"evidence_files": [
{
"tlsh": "bb6174c466fa232643a2327bf15b440ab369f4023609d694fa1cdb147f47174e9e36d9",
"sha256": "7efde05d8f284658812cf01c6081f0e4495839048f1f8f6ce4048cdb1deced49",
"path": "setup.js"
},
{
"tlsh": "d0d1c685bcf32190426360bad27fd10a6232e5433509d9587f8cda519f9871cadb77dc",
"sha256": "01a8d0caa80766a19edd7f016a2dd6c2d89a7d6815a3f7566681ebe2ec3419a0",
"path": "inject.js"
},
{
"tlsh": "9dd0c2208c21ea6326c926950479c4436ab24c1b0204ac6c97c310a8868e3ff59be30e",
"sha256": "42857935f9c782d95b778fa65b7bb0e29849a57bc92a163469bec277c09fbedb",
"path": "package.json"
}
],
"package_integrity": [
{
"hashes": {
"sha1": "d98c7d0d3c8da0118074c9d95cb6e8e946f2c53b",
"sha512_sri": "sha512-CJs9D8nxvXMTYdEjwFJzOwXynDYXIwmwu4MJPVJqnSUy/xftPZ300fVhaKCb2FiCvzWqRh4Q3I8QzyONZsWAkQ=="
},
"filename": "netspeedutil-1.0.13.tgz"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/netspeedutil/MAL-2026-10438.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]